Merge pull request #6 from vechain/ecs-infra

Add env vars & fix security & networking
vechain · Aug 22, 2024 · f66f38f · f66f38f
2 parents 47aff70 + 982e301
commit f66f38f
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 35 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -7,6 +7,6 @@ RUN yarn install --frozen-lockfile
 RUN yarn build
 
 # Expose the port that the application listens on.
-EXPOSE 8080
+EXPOSE 8000
 
 CMD yarn start
diff --git a/config.json b/config.json
@@ -1,11 +1,11 @@
 {
-    "vet": 500,
-    "thor": 500,
-    "vetLimit": 1000000000,
-    "thorLimit": 10000,
-    "networkAPIAddr": "http://127.0.0.1:8669",
-    "maxAddressTimes": 5,
-    "maxIPTimes": 10,
-    "certificateExpiration": 600,
-    "recapchaMinScore": 0.5
-}
+  "vet": 500,
+  "thor": 500,
+  "vetLimit": 1000000000,
+  "thorLimit": 20000,
+  "networkAPIAddr": "https://testnet.vechain.org",
+  "maxAddressTimes": 5,
+  "maxIPTimes": 10,
+  "certificateExpiration": 600,
+  "recapchaMinScore": 0.5
+}
diff --git a/src/controllers/router.ts b/src/controllers/router.ts
@@ -70,4 +70,9 @@ router.post("/requests", async (ctx) => {
     reportLogger.info(`IP=${remoteAddr} Address=${signer} Score=${score}`)
 })
 
+// Health check endpoint
+router.get("/health", async (ctx) => {
+    ctx.body = "OK"
+})
+
 export default router
diff --git a/terraform/backend/domains.tf b/terraform/backend/domains.tf
@@ -12,5 +12,13 @@ module "faucet-domains" {
   subdomain_type          = "CNAME"
   create_cert             = true
   # Cert domain will default to env.domain_name (or just domain_name for prod), but can be overriden here.
-  cert_domain_override    = "${local.domain_prefix}.vechain.org"
+  cert_domain_override    = "api.${local.domain_prefix}.vechain.org"
 }
+
+resource aws_route53_record "backend_cname" {
+  zone_id = module.faucet-domains.public_zone_id
+  name    = "api.${local.domain_prefix}.vechain.org"
+  type    = "CNAME"
+  ttl     = 300
+  records = [module.ecs-lb-service-faucet-be.alb_dns_name]
+}
diff --git a/terraform/backend/faucet-backend.tf b/terraform/backend/faucet-backend.tf
@@ -1,3 +1,10 @@
+data "aws_ssm_parameter" "private_key" {
+  name = "/${local.env.environment}/${local.env.project}/private_key"
+}
+data "aws_ssm_parameter" "recaptcha_secret_key" {
+  name = "/${local.env.environment}/${local.env.project}/recaptcha_secret_key"
+}
+
 variable "runtime_platform" {
   type = list(object({
     operating_system_family = string
@@ -50,14 +57,6 @@ module "alb-sg" {
       ipv6_cidr_blocks = []
       security_groups  = []
     },
-    {
-      description      = "Allow Dynamodb TCP traffic"
-      from_port        = 8000
-      to_port          = 8000
-      protocol         = "tcp"
-      cidr_blocks      = [local.env.vpc_cidr]
-      ipv6_cidr_blocks = []
-    }
   ]
 
   egress_rules = [
@@ -84,36 +83,25 @@ module "ecs-sg" {
 
   ingress_rules = [
     {
-      description      = "Allow Dynamodb traffic"
+      description      = "Allow HTTP traffic from LB"
       from_port        = 8000
       to_port          = 8000
       protocol         = "tcp"
       cidr_blocks      = [local.env.vpc_cidr]
       ipv6_cidr_blocks = []
-      security_groups  = []
-    },
-    {
-      description      = "Allow HTTP traffic"
-      from_port        = 80
-      to_port          = 80
-      protocol         = "tcp"
-      cidr_blocks      = [local.env.vpc_cidr]
-      ipv6_cidr_blocks = []
-      security_groups  = []
     }
   ]
 
   egress_rules = [
     {
-      description      = "Allow Oubound PostgreSQL traffic"
+      description      = "Allow all traffic"
       from_port        = 0
       to_port          = 0
       protocol         = "-1"
       cidr_blocks      = ["0.0.0.0/0"]
       ipv6_cidr_blocks = []
     }
   ]
-
 }
 
 # ECS cluster for backend service
@@ -149,16 +137,45 @@ module "ecs-lb-service-faucet-be" {
   cpu                        = local.env.cpu
   memory                     = local.env.memory
   cidr                       = local.env.vpc_cidr
-  container_port             = 8080
+  container_port             = 8000
+  https_tg_port              = 8000
   runtime_platform           = var.runtime_platform
   certificate_arn            = module.faucet-domains.certificate_arn
   ecs_sg                     = [module.ecs-sg.security_group_id]
   rule_0_path_pattern        = ["/api/v*", "/api-docs", "/swagger-ui/*"]
   alb_sg                     = [module.alb-sg.security_group_id]
   enable_deletion_protection = true
   namespace_id               = module.namespace.namespace_id
-  https_tg_healthcheck_path  = "/api"
+  https_tg_healthcheck_path  = "/health"
   environment_variables = [
+    {
+      "name": "NODE_ENV"
+      "value": "production"
+    },
+    {
+      "name": "PRIV_KEY"
+      "value": data.aws_ssm_parameter.private_key.value
+    },
+    {
+      "name": "CHAIN_TAG"
+      "value": "0x27"    
+    },
+    {
+      "name": "FAUCET_PORT"
+      "value": "8000"
+    },
+    {
+      "name": "RECAPCHA_SECRET_KEY"
+      "value": data.aws_ssm_parameter.recaptcha_secret_key.value
+    },
+    {
+      "name": "FAUCET_CORS"
+      "value": "faucet.vecha.in"
+    },
+    {
+      "name": "REVERSE_PROXY"
+      "value": "yes"
+  },
   ]
   log_metric_filters = [
     {